Good patch, although I think this should be *enabled* by default. If
you want Javascript to steal your session cookies, you can set the
config option manually.
Regards,
Jonathan Rockway
On Sun, May 31, 2009 at 04:17:44PM -0400, kmx via RT wrote:
> Sun May 31 16:17:43 2009: Request 46556 was acted upon.
> Transaction: Ticket created by kmx@volny.cz
> Queue: Catalyst-Plugin-Session-State-Cookie
> Subject: [PATCH] httponly cookie flag support proposal
> Broken in: (no value)
> Severity: (no value)
> Owner: Nobody
> Requestors: kmx@volny.cz
> Status: new
> Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=46556 >
>
>
> Hi,
>
> please consider the enclosed simple patch for HTTPOnly flag support. The
> patch requires the trunk version of Catalyst::Engine - see my commit:
>
> http://dev.catalystframework.org/svnweb/Catalyst/revision/?rev=10404
>
> --
> kmx
>
> #####
> --- 0.11/lib/Catalyst/Plugin/Session/State/Cookie.pm
> +++ 0.11p/lib/Catalyst/Plugin/Session/State/Cookie.pm
> @@ -73,7 +73,6 @@
> }
>
> $cookie->{secure} = 1 if $cfg->{cookie_secure};
> + $cookie->{httponly} = 1 if $cfg->{cookie_httponly};
>
> return $cookie;
> }
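Review bot: the hunk header `@@ -73,7 +73,6 @@` does not match the body, which adds one line (`+ $cookie->{httponly} = 1 if $cfg->{cookie_httponly};`) and removes none, so the new-side count should be one larger than the old-side count rather than one smaller; as pasted, `patch` will reject the hunk, so please regenerate it with `svn diff` and attach it as a file instead of inlining it. Separately, the new line mirrors the `cookie_secure` handling but gives no feedback when the engine predates `httponly` support (the POD in the next hunk says Catalyst::Runtime 5.80004 and earlier ignore it): the option then becomes a silent no-op and the session cookie is sent without the flag. A version check or a warning when `cookie_httponly` is set on an unsupported runtime would make that failure visible to the deployer.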
> @@ -225,16 +224,6 @@
>
> If this attribute set true, the cookie will only be sent via HTTPS.
>
> +=item cookie_httponly
> +
> +If this attribute set true, the cookie will got HTTPOnly flag that should
> +prevent client side Javascript accessing the cookie value - this makes some
> +sort of session hijacking attacks significantly harder. Unfortunately
> not all
> +browsers support this flag (MSIE 6 SP1+, Firefox 3.0.0.6+, Opera 9.5+); if
> +a browser is not aware of HTTPOnly the flag will be ignored.
> +
> +This parameter is not supported with Catalyst::Runtime 5.80004 and before.
> +
> =item cookie_path
>
> The path of the request url where cookie should be baked.
>
>
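Review bot: two things keep this hunk from applying. The header `@@ -225,16 +224,6 @@` has its counts reversed for a hunk that adds ten lines and removes none, and the mailer has wrapped one added POD line so that the fragment `not all` sits on its own line without a leading `+`; `patch` will read that as a context line that does not exist in the file. Once regenerated, the new POD could also use a grammar pass: "If this attribute set true, the cookie will got HTTPOnly flag that should prevent client side Javascript accessing the cookie value" reads better as "If this attribute is set true, the cookie is sent with the HttpOnly flag, which stops client-side JavaScript from reading its value", keeping the existing caveat that browsers unaware of the flag simply ignore it.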